Fourteen months after publication, the Select Committee report on “Personal Internet Security” was finally debated on the floor of the House of Lords. Since we produced the report much has happened. There have been the well-publicised data losses at HM Revenues and Customs and from other Government departments and agencies. And indeed today, we hear of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women. This all confirms my view that the Committee was absolutely right to call for a Data Breach Notification law in the UK.
This is, of course, about the culture within organisations – every employee has got to understand the importance of maintaining data security and their responsibility for doing so. Perhaps if people recognised the potential value of personal data they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out. The FSA estimate that the cost of identity fraud in the UK (admittedly using a fairly wide definition) is around £1.7 billion. During the inquiry we were told by Team Cymru that on a single server in a typical month there were for sale the data from 32,000 compromised Visa cards, and 13,000 Mastercards. The price nearly three years ago was $1 for a US card, $2 for a UK card. Associated data was also for sale including the card-holder’s mother’s maiden name etc.
Perhaps if employees were told that each personal record was worth at least £100 – they might treat a memory stick or for that matter that MoD hard drive containing a hundred thousand personal records as though it was worth £10 million – certainly with more respect.
It maybe that engendering such a change in culture will require more than a Data Breach Notification Law. Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area or face prosecution. And perhaps we need an IT equivalent of the US Sarblanes-Oxley requirements to make people at Board level take their responsibilities to heart.
Today’s first day of the Committee Stage of the Counter-Terrorism Bill has already produced a spate of woolly thinking from both the Conservatives and the LibDems.
Less than twenty lines into the Bill, Baroness Hanham, the Tory spokeswoman, proposed that the decision on whether to remove a document for further examination from the premises of a suspected terrorist during a search would have to be taken by a police officer of at least the rank of Inspector. The idea presumably was that in the height of a counter-terrorist operation with possibly many properties being searched police officers would have to be queuing up to wait an Inspector’s decision on what could be taken away. Anyway, the Tories saw this as putting themselves at the vanguard of the civil liberties movement. The effect was rather weakened by another amendment they moved slightly later that would have removed the requirement to return documents removed that turn out not to be relevant within 48 hours. I rather think that anyone whose house is raided and searched would rather have a legal guarantee that any papers removed will be returned within 48 hours than the knowledge that someone with two pips on their shoulder had authorised the removal.
Shortly afterwards, Baroness Miller for the LibDems offered their version of insightful thinking: an amendment to provide every suspected terrorist with a document setting out how any papers seized might fit into the investigation against them. Hardly practical policing!
Still today was just the warm-up – Monday will bring the debate on 42 days and all that.
The first day back after the recess is like the first day of a new school term: endless inquiries about have you had a good holiday (for me the holidays seem like – and were – weeks ago). The House was in a very good humoured mood at the first question time with tributes to the outgoing Leader (Cathy Ashton – off to be the new Peter Mandelson in Brussels) and courteous welcomes to Ministers performing in their new roles for the first time.
Lord Strathclyde, the Leader of the Opposition, informed the House that he knew that Cathy had not been expecting the move and he could testify to this, having been having lunch with her when the call came from No 10. Jan Royall, the new Leader of the House, then regaled everyone with the fact that she had been having a swim when the Prime Minister’s phone call came. (There is a worrying emphasis on fitness amongst our new leadership – Steve Bassam, the new Lords Chief Whip, told me that he was in his running shorts about to go for a jog when his call came.) Finally, Andrew Adonis, the new transport minister having been promoted from his previous job in education, told the House that he had been at the Wallace Collection when the Prime Minister phoned and had been roundly ticked off for taking a call there by one of the custodians.
Pleasantries over the House then got stuck into the minutiae of the Planning Bill for the next seven hours.